Virtualmin virtual-server module 3.70 (security)

Howdy all,

I've just rolled out Virtualmin virtual-server module 3.70 for all platforms, as well as a number of Virtualmin plugins. This release includes a number of security-related bugfixes, and upgrading immediately is strongly recommended.

Virtualmin user Filip Palian discovered, during a security audit, that some actions in Virtualmin could potentially be used to allow users to read root-owned files, via use of symbolic links by a virtual server owner and then asking the root-level user to perform some seemingly harmless actions in the Virtualmin GUI. To prevent this, Jamie has converted a large number of file operations (not just those known to be dangerous, but pretty much any that operate on files that could be manipulated by the user) to run as the virtual server owner.

Filip also noted the potential for abuse of the Preview Website proxy feature in Virtualmin (logged in users could manipulate the URL manually to browse to any site via the Virtualmin system), which has been fixed by limiting the proxy to only browsing local websites.

Because this is a security update, upgrading immediately is strongly recommended.

Changes since 3.69:

• Updated the Piwik script installer to 0.4.1, Redmine to 0.8.4, SMF to 1.1.9, OpenGoo to 1.4.2, Squirrelmail to 1.4.19, Coppermine to 1.4.25, Magento to 1.3.2.1, phpMyFAQ to 2.0.15, DokuWiki to 2009-02-14b, OpenX to 2.8.1, phpBB to 3.0.5, TikiWiki to 3.1, Joomla to 1.5.12, Zenphoto to 1.2.5, bbPress to 1.0, phpCOIN to 1.6.2, Mantis to 1.1.8, WordPress to 2.8, MediaWiki to 1.15.0, Movable Type to 4.261, SugarCRM to 5.2.0f, MoinMoin to 1.8.4, Instiki to 0.17, Radiant to 0.8.0, CMS Made Simple to 1.6, osTicket to 1.6rc5, Magento to 1.3.2.2, Drupal to 5.19 and 6.13, Trac to 0.11.5rc1, and phpMyAdmin to 3.2.0.1.
• Added a script installer for eGroupWare 1.6.001.
• Bandwidth usage by date or month can now be graphed for sub-servers.
• Partially completed backups (where only some domains failed) are now shown in the backup logs.
• The email to mailboxes who are approaching or over quota can now be customized on the Disk Quota Monitoring page.
• Added the Convert Alias Server page to change an existing alias virtual server into a sub-server.
• Historic statistics graphs can now be plotted on a log scale, and both axis are used if multiple values are plotted.
• Extra administrators can now be limited to a subset of the parent servers domains, either from the Edit Extra Administator page or using the command-line API.
• Moved the settings for which Webmin modules are available to virtual server owners from the Module Config page to a new section in server templates, so that it can be adjusted on a per-template basis.
• Email to domain owners on virtual server creation can now include variables like $PLAN_NAME, $RESELLER_NAME and $PARENT_DOM.
• When a virtual server is disabled for exceeding its bandwidth limits, all sub-servers will be too. Similarly, they will be re-enabled if the server falls below its limit.
• Added support for migrating cPanel addon domains properly.
• Added a template option to disable addition of also-notify and allow-transfer blocks to new DNS domains.
• LXadmin/Kloxo backups can now be migrated into Virtualmin servers, preserving web content, databases, mailboxes and mail aliases.
• Changed the Squirrelmail script installer to use the new set_user_data plugin via Ian Goldstein, which allows login by email address and sets the from address correctly by default.
• Updated all code that reads or writes to files in a virtual server's home directory to operate with the user's permissions, which prevents use of malicious links to access root-owned files.

Because this is a pretty big change in how many aspects of Virtualmin operate, and the changes touch many pieces of code (and many plugin modules, which have also been updated and will be covered in another post), new bugs may have been introduced in this release. Please file a ticket with any issues you run into.

If it weren't for the security fixes going into this release, the biggest news would be Lxadmin/Kloxo migration support. This is a brand new feature, and it has only been tested with a few backups from a couple of versions of Lxadmin. It very likely has some remaining issues (control panel migrations are a black art, and must be reverse engineered from backup files, because the backup formats are never documented and are often quite complex), so we need you to file tickets if you run into any problems with migrations from your Lxadmin/Kloxo systems (ideally, we also like to see an example backup from the Lxadmin/Kloxo system that exhibits the problem, as this makes it much easier to find and fix).

And, if it weren't for the security fixes and the Lxadmin/Kloxo migration support, the biggest news (wow, there's a lot of big news in this release!) would be the move of enabled Webmin features into Server Templates. This allows even further customization on a per-template basis, but with no extra complexity in the UI, which is always nice.